EVM, SLIM, IMA - Overview
This is a request for comments on the following patches which implement
two LSM modules, EVM and SLIM-IMA. These patches are also available, along
with sources for associated user space programs, and technical papers,
at http://www.research.ibm.com/gsal/tcpa
in the tpm-3.0.3 package.
The patches (against linux-2.6.14.2) are:
(1/3) EVM - Extended Verification Module
(2/3) SLIM - Simple Linux Integrity Module
(3/3) IMA - Integrity Measurement Architecture
These patches assume that an unmodified stacker and LSM with
the inode_post_create and inode_post_mkdir hooks are already
installed. The patches also assume the existence of a Trusted
Platform Module (TPM) chip which is supported by the existing
linux device driver, along with the trusted boot patch. These
prerequisites patches are already available, and are also included
in the tpm-3.0.3 package for convenience.
The EVM, SLIM, and IMA patches are similar to ones posted a few
weeks ago, but first, they are posted separately, and in-line
(my apologies for the earlier newbie mistake), and they have
been updated to address earlier technical comments, particularly
on the issue of race conditions.
EVM is similar to digsig, in that it provides access control based
on file integrity, but it provides this protection for all files
(not just executables) through a general mechanism of authenticated
extended attributes, based on keys protected by "TPM trusted boot". EVM
is configurable to protect any extended attributes, including those for
SLIM and selinux. In addition, when EVM is LSM stacked, the data and
metadata integrity information can be passed to subsequent modules for
further access control enforcement, such as demoting the integrity level
of any process allowed to access the questionable file (i.e. sandboxing),
and SLIM demonstrates this stacking. EVM performs configurable caching of
the integrity measurement results for performance improvement. As a
result, EVM causes roughly a 5% time penalty at boot, and negligible
overhead after boot, for typical desktop client use.
SLIM provides a simple integrity mandatory access control, similar
to Tim Fraser's LOMAC (a low water-mark MAC kernel module which
predated LSM), but using EVM information to base the decisions on verified
data and metadata, and using EVM to verify the integrity of guard
processes.
The former IMA (Integrity Measurement Architecture) is included as a
configurable part of SLIM. While IMA is not an access control component,
if integrity attestation is desired, it is most efficiently implemented
here, as EVM has normally already measured the files, and SLIM knows which
ones are integrity sensitive, and which should therefore be added to the
TPM registers.
We believe that EVM and SLIM help demonstrate the usefulness of LSM
stacking, and of data and metadata integrity verification as an
integral part of access control decisions.
This is an RFC release, and as such, all
questions and comments will be most appreciated.
dave safford
Mimi Zohar
Reiner Sailer